Presentation and submission of Research Proposal

The purpose of this Research Proposal is to develop a systematic plan that can be used to conduct primary research for the MBA management application portfolio industry analysis. You are not collecting data; this is merely a proposal to collect data. Include the following in your research proposal:

My Topic is Data Security

Design a research question(s) about the topic selected formed as quantitative or qualitative.
Share why this topic and research question is important for you.
Present your review of the literature related to your topic. Apply critical thinking as you write at a synthesis level what you learned from the sources of knowledge reviewed. Aim for three themes drawn from the literature.
You should include a minimum of 10-12 reputable sources, including academic, industry, and business publications. (Academic sources include juried journal articles.) Books may also be used if they are written by relatively well-known authors.
Use APA 6th standard to format paper, e.g., titles, spacing, citations, and references. Double-spaced, consistent font throughout paper, 12 font size

PRIVACY AND DATA SECURITY UNDER CLOUD COMPUTING
THE LEGAL FRAMEWORK AND
PRACTICAL DOS AND DON’TS
By Joel Buckman and Stephanie Gold
College & University | 10
This article outlines privacy and data security compliance issues
facing postsecondary education institutions when they utilize
cloud computing and concludes with a practical list of do’s and
don’ts. Cloud computing does not change an institution’s privacy
and data security obligations. It does involve reliance on a third
party, which requires an institution to implement practical and
legal protections to facilitate compliance with such obligations.
“Cloud computing” is a catch-phrase for accessing IT resources such as software, application development, and
infrastructure over the Internet. The cloud promises easy,
on-demand access to powerful technology at less cost than
homegrown IT systems. The former U.S. chief information
officer likened it to the running water of the information
age (Kundra 2010). But moving to the cloud is essentially
outsourcing. And as in any outsourcing arrangement,
cloud computing carries a range of business and legal risks
(see, e.g., Porter and Larner 2011). This article focuses on
just one: privacy and data security compliance.
The bottom line is that moving to the cloud in no way
alters an institution’s privacy and data security obligations, but it does force an institution to rely on the cloud
provider for compliance. Because U.S. privacy and data
security law is a patchwork, the first step is to identify the
institution’s obligations with regard to the information
moving to the cloud. Institutions then should attempt—
and in some cases will be required by law—to obtain sufficient contractual guarantees that the cloud provider
will comply with any such requirements. However, cloud
providers may be reluctant to provide such guarantees or
may do so only at a price, perhaps undermining some of
the cloud’s benefits. Particularly in those cases, whether to
move to the cloud comes down to a cost-benefit analysis.
Developing a process-based approach will help institutions make good decisions.
The first part of this article explains the basics of cloud
computing and U.S. privacy and data security law; the second part focuses on cross-cutting cloud computing privacy and data security risks and provides a more in-depth
analysis of the Family Educational Rights and Privacy Act
(FERPA); the final section provides a list of cloud computing do’s and don’ts. The chart at the end of the article summarizes the cloud implications of privacy and data security
laws commonly applicable to colleges and universities.
THE BASICS
Cloud Computing
Cloud computing is an evolving concept, and definitions
abound (Katz, Goldstein and Yanosky 2009). A straightforward if over-simplified definition is the “delivery of
scalable IT resources over the Internet, as opposed to hosting and operating those resources locally” (EDUCAUSE
2009). Typically, cloud computing is discussed in terms
of three service and four deployment models. Institutions
should understand the basics of these models because they
can affect the level of control the institution will retain
over privacy and data security (Jansen and Grance 2011).
The three service models are Software as a Service
(SaaS), Platform as a Service (PaaS), and Infrastructure
as a Service (IaaS). SaaS involves the use of prefabricated
software and applications over the Internet (think Internet-based e-mail like Yahoo!); PaaS involves an Internet
platform from which the customer develops and deploys
software and applications (think Microsoft Azure); IaaS
involves more barebones IT structures delivered over the
Internet (think servers, network equipment, CPUs). (An
analogy to manufacturing might help clarify: Under the
SaaS model, the provider offers a fully furnished, prefabricated house; under the IaaS model, the provider offers
a completely built house, but the end user is free to furnish it and otherwise outfit it as he sees fit; under the PaaS
model, the provider offers just the raw materials for the
house and the end user can help design it from the ground
up.) Generally, SaaS offers the institution the least control
over security settings, IaaS offers institutions the most
control, and PaaS falls somewhere in between.
The service models can be deployed over a public
cloud, a community cloud, a private cloud, or a hybrid
cloud. Most relevant to higher education institutions are
public clouds (open to all), private clouds (limited to,
and in some cases built for, a particular user), and community clouds (limited to, and in some cases built for, a
group of users with common business and compliance
needs). The fourth deployment model, a “hybrid cloud,”
is a “composition of two or more clouds (private, community, or public)” that remain unique entities but are
bound by “standardized or proprietary technology that
enables application and data portability among them”
(Jansen and Grance 2011). Public clouds offer institutions
the least control over privacy and security settings; hybrid
clouds are tailored to an institution’s needs and may offer
more control; and private clouds offer the most control.
Notably, a number of major cloud providers have rolled
out cloud solutions geared toward higher education (see,
e.g., Google Apps for Education at and cloud computing in education at
).
Clouds offer on-demand, scalable, powerful, pay-as-you-go (sometimes free) IT resources. For example, Internet-based e-mail services offer megabytes of storage space
that can be accessed via any Internet connection for free
at the click of a mouse. At the institutional level, clouds
allow institutions access to IT without a large up-front
capital investment or the requirement to lock in long-term fixed costs. Home-grown IT no longer needs to predict usage requirements or to host or maintain software
on campus servers and computers (EDUCAUSE 2009). But
with these benefits come risks: Cloud providers store immense amounts of valuable data and may become targets
for hackers (Jansen and Grance 2011); providing resources
over the Internet requires more administrative and technical layers and, thus, more access points to private data
(Jansen and Grance 2011); and cloud providers are able to
provide services cheaply in some cases by aggregating and
mining data.
U.S. Privacy and Data Security Law
U.S. privacy and data security law is in fact a patchwork
of sector-specific federal laws, diverse state laws with numerous jurisdictional hooks, and various self-imposed
requirements (typically by contract). To the extent that
such laws apply “on the ground,” they also apply “in the
cloud.” Further, because many colleges and universities are
engaged in a wide range of activities, they are subject to
many sector-specific privacy and data security laws. Such
laws include:
• the Family Educational Rights and Privacy Act
(FERPA), which applies to certain education institutions and protects education records (20 U.S.C. §
1232g; 34 C.F.R. part 99);
• the Gramm-Leach-Bliley Act (GLBA), which applies
to financial institutions and protects certain nonpublic personal information (15 U.S.C. §§ 6801–09;
16 C.F.R. part 313);
• the Red Flags Rule, which applies to debit and credit
card issuers, users of consumer reports, and financial
institutions and creditors holding covered accounts
and requires identity theft prevention measures
(15 U.S.C. § 1681m(e); 16 C.F.R. part 681);
• the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information
Technology for Economic and Clinical Health Act
(HITECH), which apply to, among others, certain
healthcare providers and protect certain health information (42 USC § 1320d et seq.; 45 C.F.R. parts
160, 162, 164);
• state data breach notification laws: 46 states, the
District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted some form of legislation requiring certain entities—e.g., those doing business in
the state or storing one of its residents’ data—to give
certain notice to consumers affected by a data breach
(see for
a listing of such laws);
• state data security laws: several states have enacted
more general data security laws, typically applying
to entities doing business in the state or owning or
licensing data about state residents (e.g., 201 Code
Mass. Regs. §§ 17.01–17.05); and
• state privacy laws: certain states have enacted either
general privacy laws or laws applicable to certain
types of information, such as health records, mental
health records, or education records (see, e.g., Electronic Privacy Information Center, State Privacy
Laws, at ).
See the chart at the end of this article, which explains
the general applicability, basic protections, and cloud
computing implications of such laws.
These laws typically provide some mix of protections,
including data security requirements and/or rights of privacy, access, or correction. In certain cases—for example,
HIPAA—laws specifically require that an institution bind
service providers to follow the laws’ mandates.
In addition to these laws and regulations, institutions
may have contractual obligations to students or others
that specify privacy or data security standards. For example, the payment card industry requires merchants to
comply with the Payment Card Industry Data Security
Standard (PCI/DSS). PCI/DSS requires merchants to implement prevention, detection, and appropriate reaction
to security incidents. Student handbooks and IT terms of
use and privacy policies are other potential sources of self-imposed requirements.
Many colleges’ and universities’ activities are sufficiently varied to implicate much of the patchwork. For example, many institutions participate in the federal Perkins
Loan Program or provide institutional loans to students
or faculty that may trigger the Gramm-Leach-Bliley Act
and the Red Flags identity theft prevention rules (Meers
and Meade 2008). A student health center may be subject
to HIPAA with regard to treatment of faculty and staff and
to FERPA with regard to treatment of students. Because institutions commonly welcome students from all over the
country, various state data security laws may apply regardless of where the institution actually provides its services.
And if the institution accepts credit card payments for
tuition and fees, then it likely is also subject to PCI/DSS.
The list goes on. In short, because of the breadth of many
colleges’ and universities’ activities, multiple privacy and
data security regimes may apply to various IT functions
that might “move to the cloud.” Consultation with legal
counsel should be a central feature of any plan to utilize
cloud computing.
CLOUD COMPUTING PRIVACY AND DATA SECURITY
Cross-Cutting Privacy and Data Security Issues
Nearly all cloud computing privacy and data security risks
share a common origin. Moving to the cloud in no way
changes an institution’s privacy and data security obligations (Jansen and Grance 2011), but it does force the institution to rely on a third party for compliance. Thus,
colleges and universities must (1) identify applicable
privacy and data security requirements, (2) conduct due
diligence of the provider’s compliance package, and (3)
negotiate effective contractual provisions—including effective remedies for noncompliance—to ensure that the
provider will execute. Although this sounds straightforward, a number of the cloud’s features complicate matters,
including the following:
• Easy deployability means unauthorized deployments.
Precisely because cloud resources are easy to deploy,
various campus constituencies might move to the cloud
without considering the privacy and data security implications of doing so (Young 2011). This can be especially problematic at “flat” organizations—which many
colleges and universities are. For example, a professor
might begin to communicate grades to students by way
of a free, commercially available file-sharing service,
such as Dropbox. This may result in the storage of “education records,” implicating FERPA.
• Data location: The cloud model works in part because
data can skip around the world instantaneously (Jansen
and Grance 2011). An institution’s home jurisdiction
may prohibit such transfers, and the transferee jurisdiction may provide less protection from government
intrusion or impose fewer data security requirements
on the provider. And because physical location is a traditional jurisdictional test, the location of a provider’s
servers could subject an institution to the laws of a
“strange” jurisdiction. Even if it is unlikely that a provider’s unilateral (and possibly unknowing) transfer of
data to a server in a faraway jurisdiction would subject
the customer to that jurisdiction’s laws, the provider
should arguably bear that risk. (The cloud provider
would likely already be subject to the laws of any jurisdiction where it maintains servers.) The U.S. Department of Education recently suggested that in its view
a cloud computing “best practice” is to store sensitive
education records within the United States (U.S. Department of Education 2012).
• Data ownership & secondary uses. Some public cloud
providers rely on data mining to create revenue streams.
Data mining ranges from behavioral advertising to the
outright sale of personally identifiable information.
This model presents compliance challenges for data
security laws that prohibit the use of data for any purpose other than that for which the data were collected
(“secondary use”). Institutions should be wary of provider agreements that claim ownership or license of the
institution’s data and should consider whether some
contractual limit on secondary use is necessary or desirable (Jansen and Grance 2011). Be aware of indirect
ownership claims, as when a SaaS provider seeks to own
software outputs created by subscriber data inputs.
• Loss of control and lack of transparency: Like any outsourcing arrangement, a cloud customer cedes control
of some processes to the provider. Where an institution
once had the power to allocate resources and develop
a data security regime appropriate to its size and risk
profile, on the cloud it must rely on the provider’s human, physical, administrative, and technical resources
(Cloud Security Alliance 2010, Jansen and Grance
2011). Where an institution once had physical possession of its data, it now must rely on a provider not to
hold its data hostage in the event of a contract dispute
and/or at the end of the relationship. Trust must fill the
gap. Effective pre- and post-contract diligence can create trust. But for various reasons, cloud providers may
be reluctant to allow rigorous diligence (Jansen and
Grance 2011). Independent third-party audits may constitute one solution; a provider’s reputation may constitute another. Still, the institution should negotiate
mechanisms whereby it confirms that security controls
are implemented and contractual promises are kept.
• Data security risk profile: Some argue that the cloud
provides less security than on-the-ground computing
because it adds layers of administrative and technical
complexity, is portable, and becomes a target for hacker
attacks. Others contend that cloud providers are by necessity expert at data security and provide much greater
protection than any home-grown IT department
(Winkler 2011). At the very least, the cloud does raise
different data security concerns than on-the-ground
computing. For example, cloud providers often achieve
economies of scale by storing multiple subscribers’ data
on the same server and segregating the data exclusively
through technical (as opposed to technical and physical) means (Jansen and Grance 2011). But one cannot
say that storing information in the cloud is like storing
money in a bank (as opposed to a mattress) because
some colleges and universities already have vaults. Thus,
an institution’s IT professionals should conduct a case-by-case comparative analysis.
• Refusal of providers to negotiate: Finally, although a
contract is critical to achieve privacy and data security
compliance, many cloud providers offer one-sided,
form contracts with little room for negotiation (Jansen
and Grance 2011). This is particularly true for the public, SaaS, out-of-the-box offerings. Providers assert that
standardization helps keep down costs. In certain cases,
contracts give providers the right to amend unilaterally,
creating the potential to undermine any privacy or data
security obligations an institution might obtain. Contracts also may not provide effective remedies or indemnification for breaches by the provider. (See Jansen and
Grance 2011 for a more comprehensive examination of
the cautionary implications of cloud computing.)
That said, large cloud providers increasingly are attempting to meet colleges’ and universities’ needs. For example,
after initial resistance, Google reportedly agreed to comply with FERPA in its provision of Gmail to postsecondary
institutions (DeSantis 2012, Mitrano 2009). A number of
major cloud providers now have sites dedicated to education institutions, and institutions are uniting to negotiate
with cloud providers. This represents progress but likely
does not signal the end of problematic unilateral contracts.
For now, when an insufficient contract is all that is available, an institution must consider whether it is legally possible and prudent to proceed. Institutions should weigh
the sensitivity of the information involved, the potential
exposure in the event of a problem, and the cloud provider’s reputation. Sometimes an institution should proceed;
sometimes an institution should look to a different cloud
service or delivery model; and sometimes an institution
should stay “on the ground.”
The FERPA Example
Because FERPA applies to most colleges and universities,
it provides a useful example of how to evaluate a privacy
law when moving to the cloud. FERPA protects “education records” (see 34 C.F.R. § 99.3), so the first question is
whether the relevant IT function involves such records.
If so, an institution must identify contractual and other
guarantees needed to ensure compliance.
Generally, education records are any information recorded in any way that is maintained by or on behalf of
an institution and that is “directly related to a student”
(see 34 C.F.R. § 99.3). This broad definition covers any
number of IT functions, including faculty and staff e-mail
(Gilbertson and Storch 2009), student information systems, grade books, extracurricular participation records…
the list goes on. But not all campus IT functions would
qualify: For example, a professor’s research database comprising interviews with non-students likely would not
be subject to FERPA.
FERPA creates rights of privacy (34 C.F.R. subpart D),
student access (34 C.F.R. part 99, subpart B), and record
correction (34 C.F.R. part 99, subpart C). Cloud compliance for access and correction is relatively straightforward.
For access, an institution should contractually prohibit the
provider from unilateral records destruction and should
confirm that the service level agreement (SLA) would allow a student to inspect records within 45 days of a request (common SLAs would so allow) (Porter and Larner
2011). The contract also should prohibit the provider from
holding education records hostage in any contract dispute
or at the end of the relationship (34 C.F.R. § 99.10[b]). For
the right of …